Young Asian businessman working overtime in a dark office


  • Cyber Resilience


How can organizations improve their crisis management?

The way in which an organization responds to and recovers from a crisis can make the difference between its ultimate success or failure. A new international standard was published in October 2022 to provide guidance to help organizations plan, establish, maintain, review and continually improve their strategic crisis management capability.

Kev Brear, our Head of Governance, Risk & Compliance and a practitioner with more than 20 years’ experience in crisis management, has played an important role in developing this new international standard and previous national and international standards in the same area. He explains here how organizations can improve their crisis management response, and what the new ISO standard is designed to achieve.

What do we mean when we talk about a crisis?

A crisis is a low-frequency, high-impact event that creates strategic-level challenges for an organization and as a result requires a strategic-level response. It’s important to stress that a crisis is rare and unique. We often think of a crisis in terms of a big, visible event such as a cyber attack or civil emergency, but a crisis can be triggered by less obvious events. This could include an event that is purely reputational – such as a breach of ethics – or by a failure in an organization’s structures or processes, which stops it from functioning effectively.

At its extreme, a crisis can result in the end of a company – Pan Am, for example, filed for bankruptcy two years after the Lockerbie disaster but it was in severe financial distress for at least a decade before the crash. Lockerbie was the crisis that tipped the company over the edge.

What has caused confusion in the past is that many people use the word ‘crisis’ when they mean something else – which may well be an emergency, but which does not require a strategic-level response. This can create misplaced confidence in an organization’s abilities to deal with a genuine crisis when it strikes.

Why is crisis management important?

It’s essential that every organization has a plan to protect itself in the event of a crisis. Research shows that after a crisis, an organization’s share value typically falls sharply and then, once the crisis management process kicks in, the share price tends to stabilize and then recover, depending on how well the organization is perceived by the markets to be handling the crisis. But if an organization does nothing, the share price will continue to plummet. In other words, crisis management has a financial value.

How does crisis management differ from business continuity?

An organization cannot be truly resilient unless it has an effective crisis management structure in place. Business continuity focuses on business impact analysis rather than strategic response. The pandemic challenged a lot of our thinking around business continuity – a business continuity plan won’t save a high street retail business, for example, if no-one can leave their house. Businesses had to adapt very quickly to survive – and those that did, such as the businesses that switched to producing hand sanitizer, turned a crisis into an opportunity.

Kev Brear Nortal's Head of Governance, Risk & Compliance

– Kev Brear, Head of Governance, Risk & Compliance

Many people use the word ‘crisis’ when they mean something else. This can create misplaced confidence in an organization’s abilities to deal with a genuine crisis when it strikes.

How does crisis management differ from a cyber breach response?

Most cyber breaches are an incident rather than a crisis – meaning that while they have the potential to cause disruption and loss, they don’t require a strategic response. That said, some cyber breaches can escalate quickly into a crisis. It’s vital that organizations can recognize when the situation is changing and adapt its response. Cyber breaches tend to be seen purely as the responsibility of tech people, but the business still needs to make a profit, fulfil its purpose, meet its obligations and maintain its share price or value.

What does effective crisis management look like?

A crisis requires resources, the setting of a clear strategy to protect operational resiliency, and the involvement of senior leaders. A crisis will also have distinct phases – the initial phase when the crisis strikes, the response phase, stabilization, recovery and finally the return to a stable operating environment.

An effective crisis management capability has several elements: a governance and ethical framework, organizational structure, adequate resources, competent individuals, and the right leadership skills and culture that encourages the organization to learn and improve.

What does the new ISO 22361 (Security and Resilience – Crisis Management – Guidelines) do?

The standard was developed to help organizations design, develop and improve their crisis management capability. Because flexibility is important, the standard takes a principles-based approach, setting out a list of seven principles from which a crisis management framework can be developed and implemented.

It also sets out a clear and agreed definition of a crisis for the first time: ‘An abnormal or extraordinary event or situation that threatens an organization or community and requires a strategic, adaptive and timely response in order to preserve its viability and integrity’. The standard sets out the distinction between a crisis and another adverse event, as well as the requirements of an effective crisis management framework, and a description of recommended best practices.

Why do we need this ISO?

Before this ISO, there was no agreed benchmark of what ‘good’ crisis management looked like. The new standard will help organizations improve their resilience, but also provides a benchmark for organizations that want to invest in crisis management training, consulting, and other services – this is a growing industry and it’s important that people know what to look for when they are using these services.

What do organizations need to do to implement the standard?

There are three important next steps for organizations. First, it’s important that the right people know about the ISO and what it means for the organization – that means briefing strategic leaders, top management, and the leaders and members of the crisis management team. Second, we recommend that organizations carry out a gap analysis to understand what needs to be done to strengthen the organization’s resilience and crisis management system. Then, a clear plan needs to be developed and implemented to fill in any gaps that are identified.

Cyber resilience demonstrated by female military officer to two male officers

Build up your resilience

We have years of experience of helping our clients deal with crises and build up their resilience, including testing preparedness through scenario exercises. We take an end-to-end approach, supporting clients at all stages of crisis management, from creating an effective crisis management strategy to providing support through crisis response and recovery.

Find out more

Related content


Computer in the dark
  • Cyber Resilience

Webinar: Exploring the dark side of the web

What do cyber criminals want from your business? In this webinar, we explore the dark side of the web and how to protect your business.


Football tactics table to go through cyber security exercises
  • Cyber Resilience

Cyber exercises as a business enabler in a hyper connected age

How would your people react to a cybersecurity emergency? Cyber exercises test your organization so you can become truly cyber-resilient.


Computer with a sign to inform about things to pay attention to from cybersecurity to market advantage
  • Cyber Resilience
  • Enterprise

Why NIS 2.0 represents an opportunity for companies?

From cybersecurity to market advantage. The EU Network and Information Security (NIS) Directive has been in force since 2016 and aims to improve cyber security in Europe. The new version brings some changes that affect companies in comprehensive industries.

Get in touch

Let us offer you a new perspective.